Preparations
Before the Azure AD Discovery connector can be configured, the following steps must be done in Microsoft Azure.
Prerequisites
An Azure user account with admin privileges is required. To query the necessary Graph endpoints, the Azure application needs the following permissions:
- Read users
- Read devices
- Read audit logs
Register an Azure application
- In the Microsoft Azure portal, in the main menu, select App registrations.
- Select New registration.
- In Name, enter a suitable name for the app, such as Azure AD Discovery SIM app.
- Set Supported account types to Accounts in this organizational directory only.
- To save the new application, select Register.
Grant Microsoft Graph API permissions to access the Azure Active Directory data
The Azure AD Discovery connector uses a Microsoft Azure application with Graph API access to gather the Azure AD data.
- In the Microsoft Azure portal, select App registrations.
- Select the app you created according to the procedure in Register an Azure application.
- Select API Permissions and then select Add a permission in this view.
- In Request API permissions, select Microsoft Graph.
- Select Application permissions, and configure the list of permissions:
  - Select User -> User.Read.All (Read all users' full profiles).
  - Select Device -> Device.Read.All (Read all devices).
  - Select AuditLog -> AuditLog.Read.All (Read all audit log data). This permission is needed to read the SignInActivity field in the user objects and the DirectoryAudit objects, which are used to determine WhenChanged for users and devices.
- If the User -> User.Read permission is checked in Delegated permissions, then clear the checkbox.
- Select Add permissions.
- Select Grant admin consent for [your company name].
Note: An admin user must perform this step.
Locate Directory tenant ID
Locate the ID of the Microsoft Azure Active Directory tenant from which data is retrieved. The value is used when configuring the connector.
- In the Microsoft Azure portal, navigate to the app you created according to the procedure in Register an Azure application.
- Make a note of the value in the Directory (tenant) ID field. This value will be used as the Directory id when configuring the connector.
Locate Application client ID
This is the ID of the application that will connect to Microsoft Azure Active Directory. The value is used when configuring the connector.
- In the Microsoft Azure portal, navigate to the app you created according to the procedure in Register an Azure application.
- Make a note of the value of the Application (client) ID field. The value will be used as the Application id when configuring the connector.
Locate client secret
Locate the key that will be used as the secret in the connection to Microsoft Azure. The value is used when configuring the connector.
- In the Microsoft Azure portal, navigate to the app you created according to the procedure in Register an Azure application.
- Select Certificates & secrets.
- Create a new client secret using the following information:
  - Select New client secret.
  - In Add a client secret, enter a suitable Description for the client secret.
  - In Expires, set a suitable expiration date.
    Note: The client secret must be regenerated after the set expiration time. This also means that the connector must be reconfigured with the new secret.
- Select Add. The client secret is shown.
- Note the value of the client secret immediately; the portal shows it only at creation time. This value is used as the Application secret when configuring the connector.
After completing this task, follow the general procedure to Configure the Azure AD Discovery connector.
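As an added example (not part of the Flexera documentation or the connector's own code), the following Python builds the client-credentials token request from the Directory (tenant) ID, Application (client) ID and client secret collected above, and checks a Graph access token for the three application permissions granted in the API permissions step. The sample token is constructed and unsigned for offline use; the check decodes the payload without verifying the signature, so it is a configuration sanity check, not an authentication step.

```python
import base64
import json
import urllib.parse

# Application permissions the connector requires (from the procedure above).
REQUIRED_ROLES = {"User.Read.All", "Device.Read.All", "AuditLog.Read.All"}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials token request,
    built from the three values noted during the Azure preparations."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def decode_jwt_payload(token):
    """Decode the payload segment of a JWT (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token):
    """Report which required application roles are missing from the token
    and whether it carries delegated scopes ('scp') instead of app roles,
    which is what the 'clear User.Read under Delegated' step avoids."""
    claims = decode_jwt_payload(token)
    granted = set(claims.get("roles", []))
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "delegated": "scp" in claims,
    }


def make_sample_token(roles, scp=None):
    """Constructed, unsigned sample token for offline testing only."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    if scp:
        claims["scp"] = scp
    return f"{seg({'alg': 'none'})}.{seg(claims)}."
```

Run `check_token` against the `access_token` returned by posting the request from `token_request`; an empty `missing` list and `delegated` false mean admin consent for all three application permissions took effect.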
The connector makes API calls to the vendor to retrieve the information.
Flexera does not own the third party trademarks, software, products, or tools (collectively, the "Third Party Products") referenced herein. Third Party Product updates, including user interface updates, may not be reflected in this content.